So, go ahead and create a script with an obscure and un-guessable name (security through obscurity), for example, deploy-correcthorsebatterystapler.php. Next, make a POST hook on the repo of your choice to call said PHP script.

What does the deploy script do?

Our script will do four things:

1. Parse the payload sent by Bitbucket servers.

2. Check the payload data.

3. Pull from the remote repository.

4. Log results.

Note step 3 - Pulling from the remote repository. For that, we'll need to create an SSH key so that our PHP user can access and modify the remote repo without a password.
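The four steps above as one script, added here as an illustration and not the author's own deploy script. The paths, repository slug, branch, remote name and the payload field names (repository.slug and commits[].branch) are assumptions; compare them against a payload captured from your own hook before relying on them.

```php
<?php
// Added example. All constants are hypothetical placeholders; the payload field
// names (repository.slug, commits[].branch) are assumptions about the hook's JSON.
const REPO_DIR  = '/var/www/example-site';  // working copy owned by the PHP user
const REPO_SLUG = 'example-site';           // repository we accept pushes for
const BRANCH    = 'master';                 // branch that triggers a deploy
const LOG_FILE  = '/var/www/deploy.log';    // keep this outside the web root

function deploy_log(string $msg): void
{
    file_put_contents(LOG_FILE, date('c') . ' ' . $msg . PHP_EOL, FILE_APPEND | LOCK_EX);
}

// Step 2: accept only a payload for our repository with a commit on BRANCH.
function payload_is_deployable($payload): bool
{
    if (!is_array($payload) || ($payload['repository']['slug'] ?? null) !== REPO_SLUG) {
        return false;
    }
    $commits = is_array($payload['commits'] ?? null) ? $payload['commits'] : [];
    foreach ($commits as $commit) {
        if (is_array($commit) && ($commit['branch'] ?? null) === BRANCH) {
            return true;
        }
    }
    return false;
}

// Step 1: parse. Reject anything that is not a POST carrying a string payload.
$raw = $_POST['payload'] ?? null;
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST' || !is_string($raw)) {
    http_response_code(400);
    deploy_log('rejected: missing or malformed payload');
    exit;
}
if (!payload_is_deployable(json_decode($raw, true))) {
    http_response_code(202);
    deploy_log('ignored: payload is not for ' . REPO_SLUG . '/' . BRANCH);
    exit;
}

// Step 3: pull. Built from constants only (remote "origin" assumed); no payload value reaches the shell.
$cmd = 'cd ' . escapeshellarg(REPO_DIR) . ' && git pull origin ' . escapeshellarg(BRANCH) . ' 2>&1';
exec($cmd, $output, $status);

// Step 4: log the result and report it to the caller through the status code.
deploy_log('git pull exit=' . $status . ': ' . implode(' | ', $output));
http_response_code($status === 0 ? 200 : 500);
```

The payload only decides whether a pull happens; what gets pulled and where is fixed in the constants, so a forged request to the obscure URL can at most trigger a pull of the configured branch.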

Setting up SSH

Who am I?

First, we need to find out who the PHP user is. We could do that through a PHP script that executes whoami in the shell. Run this:

<?php echo exec('whoami'); ?>

Depending on the configuration, you could get apache, www-data, or some other user. My PHP user is www-data, and since I'm lazy, I'll write the post using www-data.

Creating keys for www-data

For creating the keys, we basically need to:

Access the shell as www-data (requires sudo).

Create keys.

Add BitBucket.org as host for that key in the config file.

To give commands as any other user, we do sudo -u <username> <command>. So in this case, we'll do sudo -u www-data.

The first step is to create an SSH key pair. Run sudo -u www-data ssh-keygen -t rsa. That will show the directory where SSH keys are stored for www-data and create a key pair. You'll be prompted for the name and password of the key. I set the name to id_rsa-git; feel free to name it anything, but the password should be blank.

Now, we need to create a config file in www-data's SSH directory. A config file tells SSH which host uses which key for access. cd to the SSH directory (mine was /var/www/.ssh) and create a file named config in that folder.

(You may need to change the permissions of .ssh to 0700 to cd into it; do that by running sudo chmod 0700 /var/www/.ssh.)

Write the contents of $_POST['payload'] to payload.log, and run a test push. A new file, payload.log, will be created and you'll find demo data in it. Visiting the URL from your web browser will let you retain and test with actual payload data. You can then use echo statements for testing, instead of the complicated file_put_contents(). Pretty cool, right?